gVisor

gVisor is an open-source, OCI-compatible sandbox runtime that provides a virtualized container environment. It runs each container on top of its own user-space kernel, providing low-overhead container security suited to high-density deployments.

gVisor integrates with Docker, containerd and Kubernetes, making it easier to improve the security isolation of your containers while still using familiar tooling. Additionally, gVisor supports a variety of underlying mechanisms for intercepting application system calls, allowing it to run in diverse host environments, including cloud-hosted virtual machines.
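The following is an added example, not code from the gVisor page or project, showing what the Docker and Kubernetes integration looks like in practice and, more importantly for a defender, how to verify that a container really ended up inside the sandbox rather than silently falling back to the default runtime. It assumes gVisor's `runsc` binary is installed at `/usr/local/bin/runsc` (override with `RUNSC_PATH`) and that Docker is running on the host; the image name `alpine` is only a sample.

```shell
#!/bin/sh
# Added example (not part of the gVisor page): register runsc with Docker,
# emit a Kubernetes RuntimeClass for it, and check that a container launched
# with --runtime=runsc is actually sandboxed.
# Assumption: runsc lives at /usr/local/bin/runsc unless RUNSC_PATH is set.
RUNSC_PATH="${RUNSC_PATH:-/usr/local/bin/runsc}"

# Print the /etc/docker/daemon.json fragment that registers a Docker runtime
# named "runsc". Merge it into an existing daemon.json, then restart dockerd.
gvisor_daemon_json() {
  printf '{\n  "runtimes": {\n    "runsc": {\n      "path": "%s"\n    }\n  }\n}\n' "$RUNSC_PATH"
}

# Print a Kubernetes RuntimeClass whose handler is the runsc runtime that
# containerd has been configured with. Pods opt in via
# spec.runtimeClassName: gvisor.
gvisor_runtimeclass_yaml() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# Return 0 only if a container started with --runtime=runsc lands in a
# gVisor sandbox. gVisor's emulated kernel log identifies itself, so dmesg
# inside the sandbox mentions gVisor; under runc the same command would show
# the host kernel's log or be denied by the default seccomp profile.
# Argument: image to run (sample default: alpine).
check_sandboxed() {
  image="${1:-alpine}"
  docker run --rm --runtime=runsc "$image" dmesg 2>/dev/null | grep -qi gvisor
}

# Only talk to Docker when this file is executed directly, so the config
# helpers above can be sourced and inspected without a Docker daemon present.
if [ "${0##*/}" = "gvisor-check.sh" ]; then
  gvisor_daemon_json
  gvisor_runtimeclass_yaml
  if command -v docker >/dev/null 2>&1; then
    if check_sandboxed alpine; then
      echo "OK: container is running under gVisor"
    else
      echo "WARNING: container is NOT sandboxed by gVisor" >&2
      exit 1
    fi
  fi
fi
```

The `check_sandboxed` step is the part worth keeping around: installing `runsc` and registering it does nothing for isolation until workloads actually select it, so a quick probe that confirms the sandbox kernel is present catches a runtime that was configured but never used.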

Defense in Depth

Each sandbox has its own user-space kernel, providing additional protection from host kernel vulnerabilities.

Lightweight

Runs as a normal process and uses the host kernel for memory management and scheduling.

Zero Configuration

Capable of running most Linux applications unmodified, with zero configuration.

Read the Docs

Read the documentation to understand gVisor, its architecture and trade-offs, and how to use it.